AR for WooCommerce Security & Risk Analysis

wordpress.org/plugins/ar-for-woocommerce

Augmented Reality for WooCommerce plugin lets you display 3D models and AR products directly in your store with no app required.

90 active installs · v8.34 · PHP + WP 5.5+ · Updated Mar 12, 2026
Tags: 3d, ar, augmented-reality, model-viewer, woocommerce

Security score: 97
Grade: A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Oct 28, 2024
Safety Verdict

Is AR for WooCommerce Safe to Use in 2026?

Generally Safe

Score 97/100

AR for WooCommerce has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Oct 28, 2024 · Updated 23d ago
Risk Assessment

The "ar-for-woocommerce" plugin version 8.34 presents a mixed security posture. On the positive side, the plugin demonstrates good practices in handling SQL queries, with 100% using prepared statements, and a high percentage of its output being properly escaped. The presence of numerous nonce and capability checks also indicates an awareness of common WordPress security mechanisms. However, there are significant areas of concern, particularly regarding the exposed attack surface. A notable number of AJAX handlers and REST API routes lack essential authentication and permission checks, creating potential entry points for unauthorized actions.

Further examination reveals a potentially dangerous function, unserialize, which, if used with untrusted input, could lead to serious vulnerabilities. While taint analysis did not reveal critical or high-severity issues in this version, the presence of flows with unsanitized paths warrants caution. The plugin's vulnerability history is particularly alarming, with a past critical CVE related to unrestricted file uploads. The absence of currently unpatched vulnerabilities is positive, but the pattern of past critical issues, especially involving file handling, suggests a recurring risk area that needs vigilant monitoring.

In conclusion, while "ar-for-woocommerce" has implemented some strong security measures, the substantial number of unprotected entry points and the history of critical vulnerabilities, specifically in file handling, represent significant risks. Users should exercise caution and ensure the plugin is regularly updated, and ideally, the developers should prioritize addressing the unprotected attack surface.

Key Concerns

  • Unprotected AJAX handlers
  • Unprotected REST API routes
  • Dangerous function unserialize found
  • Flows with unsanitized paths
  • Past critical CVE: Unrestricted Upload
Vulnerabilities
1

AR for WooCommerce Security Vulnerabilities

CVEs by Year

2024: 1 CVE (patched)

Severity Breakdown

Critical: 1

1 total CVE

CVE-2024-50510 · critical · CVSS 9.8 · Unrestricted Upload of File with Dangerous Type

AR For Woocommerce <= 6.2 - Unauthenticated Arbitrary File Upload

Disclosed Oct 28, 2024 · Patched in 7.0 (46d)
Code Analysis
Analyzed Mar 16, 2026

AR for WooCommerce Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (11 prepared)
Unescaped Output: 58 (2036 escaped)
Nonce Checks: 32
Capability Checks: 14
File Operations: 25
External Requests: 16
Bundled Libraries: 0

Dangerous Functions Found

unserialize    $plugins = unserialize( $r['body']['plugins'] );    ar-updates.php:18

SQL Query Safety

100% prepared · 11 total queries

Output Escaping

97% escaped · 2094 total outputs
Data Flows
5 unsanitized

Data Flow Analysis

18 flows · 5 with unsanitized paths

save_ar_variation (ar-wc-functions.php:29)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface
8 unprotected

AR for WooCommerce Attack Surface

Entry Points: 35
Unprotected: 8

AJAX Handlers 18

auth     wp_ajax_ar_copy_file_action              ar-wc-functions.php:584
nopriv   wp_ajax_ar_copy_file_action              ar-wc-functions.php:585
auth     wp_ajax_ar_process_user_image            ar-woocommerce.php:133
nopriv   wp_ajax_ar_process_user_image            ar-woocommerce.php:134
auth     wp_ajax_ar_get_fresh_nonce               ar-woocommerce.php:137
nopriv   wp_ajax_ar_get_fresh_nonce               ar-woocommerce.php:138
auth     wp_ajax_set_ar_featured_image            includes\ar-add-media.php:14
nopriv   wp_ajax_set_ar_featured_image            includes\ar-add-media.php:15
auth     wp_ajax_ar_dismiss_update_notice         includes\ar-settings.php:1824
auth     wp_ajax_ar_wc_upload_file                includes\ar-wc-security.php:22
nopriv   wp_ajax_ar_wc_upload_file                includes\ar-wc-security.php:23
auth     wp_ajax_ar_wc_onboarding_toggle_tour     includes\onboarding\class-ar-wc-onboarding.php:21
auth     wp_ajax_get_ar_content                   templates\woocommerce\single-product\gallery-product-image.php:59
nopriv   wp_ajax_get_ar_content                   templates\woocommerce\single-product\gallery-product-image.php:60
auth     wp_ajax_get_ar_content                   templates\woocommerce\single-product\gallery-product-image.php:148
nopriv   wp_ajax_get_ar_content                   templates\woocommerce\single-product\gallery-product-image.php:149
auth     wp_ajax_get_ar_content                   templates\woocommerce\single-product\product-image.php:52
nopriv   wp_ajax_get_ar_content                   templates\woocommerce\single-product\product-image.php:53

REST API Routes 11

GET    /wp-json/ar-wc-display/models/                      ar-wc-api.php:31
POST   /wp-json/ar-wc-display/update/                      ar-wc-api.php:40
POST   /wp-json/ar-wc-display/delete/                      ar-wc-api.php:49
POST   /wp-json/ar-wc-display/featuredimage/               ar-wc-api.php:57
POST   /wp-json/arforwp/v2/set_ar_featured_image/          includes\ar-add-media.php:33
POST   /wp-json/ar/v1/ardisplay_ai/jobs                    includes\ardisplay_ai\class-ardisplay-ai-rest.php:21
GET    /wp-json/ar/v1/ardisplay_ai/jobs/(?P<id>[^/]+)      includes\ardisplay_ai\class-ardisplay-ai-rest.php:28
POST   /wp-json/ar/v1/provider/sf3d/webhook                includes\ardisplay_ai\class-ardisplay-ai-rest.php:34
GET    /wp-json/ar/v1/ardisplay_ai/credits                 includes\ardisplay_ai\class-ardisplay-ai-rest.php:40
POST   /wp-json/ar/v1/ardisplay_ai/credits/sync            includes\ardisplay_ai\class-ardisplay-ai-rest.php:46
POST   /wp-json/ar/v1/ardisplay_ai/credits/webhook         includes\ardisplay_ai\class-ardisplay-ai-rest.php:52

Shortcodes 6

[ardisplay] includes\ar-class.php:39
[ar-display] includes\ar-class.php:40
[ar-view] includes\ar-class.php:41
[ar-qr] includes\ar-class.php:42
[ar-gallery] includes\ar-class.php:43
[ar-user-upload] includes\ar-class.php:44

WordPress Hooks 97

action   admin_enqueue_scripts                               ar-model-fields.php:11
action   admin_enqueue_scripts                               ar-model-fields.php:12
action   admin_enqueue_scripts                               ar-model-fields.php:13
filter   woocommerce_product_data_tabs                       ar-model-fields.php:25
action   woocommerce_product_data_panels                     ar-model-fields.php:163
action   admin_head                                          ar-model-fields.php:195
action   woocommerce_new_product                             ar-model-fields.php:200
action   woocommerce_update_product                          ar-model-fields.php:201
action   woocommerce_save_product_variation                  ar-model-fields.php:202
action   plugins_loaded                                      ar-model-fields.php:206
action   admin_print_scripts                                 ar-model-fields.php:208
action   woocommerce_variation_header                        ar-model-fields.php:1826
filter   http_request_args                                   ar-updates.php:35
action   ar_woo_check_event                                  ar-updates.php:50
action   rest_api_init                                       ar-wc-api.php:30
action   rest_api_init                                       ar-wc-api.php:39
action   rest_api_init                                       ar-wc-api.php:48
action   rest_api_init                                       ar-wc-api.php:56
action   wp_enqueue_scripts                                  ar-wc-functions.php:480
filter   woocommerce_add_to_cart_validation                  ar-wc-functions.php:496
filter   upload_dir                                          ar-wc-functions.php:518
filter   woocommerce_add_cart_item_data                      ar-wc-functions.php:548
filter   woocommerce_get_item_data                           ar-wc-functions.php:559
action   woocommerce_checkout_create_order_line_item         ar-wc-functions.php:575
filter   wp_kses_allowed_html                                ar-wc-functions.php:663
action   widgets_init                                        ar-widgets.php:101
action   elementor/widgets/register                          ar-widgets.php:111
action   init                                                ar-woocommerce.php:22
action   init                                                ar-woocommerce.php:36
action   plugins_loaded                                      ar-woocommerce.php:42
action   before_woocommerce_init                             ar-woocommerce.php:50
action   do_faviconico                                       ar-woocommerce.php:79
action   init                                                ar-woocommerce.php:92
action   ar_cleanup_temp_file                                ar-woocommerce.php:263
action   manage_product_posts_custom_column                  ar-woocommerce.php:274
action   wp_enqueue_scripts                                  ar-woocommerce.php:301
filter   manage_edit-product_columns                         ar-woocommerce.php:319
filter   woocommerce_settings_tabs_array                     ar-woocommerce.php:322
action   woocommerce_settings_ar_display                     ar-woocommerce.php:329
filter   plugin_action_links_ar-for-woocommerce/ar-woocommerce.php   ar-woocommerce.php:332
filter   plugin_row_meta                                     ar-woocommerce.php:344
action   init                                                ar-woocommerce.php:353
action   init                                                gutenberg-block\gutenberg-block.php:49
filter   block_categories_all                                gutenberg-block\gutenberg-block.php:65
action   wp_enqueue_scripts                                  includes\ar-add-media.php:27
action   admin_enqueue_scripts                               includes\ar-add-media.php:28
action   rest_api_init                                       includes\ar-add-media.php:31
action   init                                                includes\ar-analytics.php:133
action   init                                                includes\ar-analytics.php:134
action   rest_api_init                                       includes\ar-analytics.php:135
action   admin_menu                                          includes\ar-analytics.php:136
action   admin_enqueue_scripts                               includes\ar-analytics.php:137
action   wp_dashboard_setup                                  includes\ar-analytics.php:138
action   ar_analytics_purge_events                           includes\ar-analytics.php:139
action   init                                                includes\ar-analytics.php:1935
action   wp_footer                                           includes\ar-class.php:158
action   admin_footer                                        includes\ar-class.php:184
action   wp_footer                                           includes\ar-class.php:494
action   wp_footer                                           includes\ar-file-handling.php:278
action   wp_enqueue_scripts                                  includes\ar-initialise.php:91
action   wp_enqueue_scripts                                  includes\ar-initialise.php:155
action   wp_footer                                           includes\ar-initialise.php:157
action   admin_init                                          includes\ar-initialise.php:250
filter   upload_mimes                                        includes\ar-initialise.php:441
filter   wp_check_filetype_and_ext                           includes\ar-initialise.php:482
filter   upload_mimes                                        includes\ar-initialise.php:524
filter   script_loader_tag                                   includes\ar-initialise.php:552
action   shutdown                                            includes\ar-initialise.php:568
action   admin_footer                                        includes\ar-initialise.php:646
action   pre_get_posts                                       includes\ar-initialise.php:652
filter   hmwp_process_init                                   includes\ar-initialise.php:779
filter   sgs_whitelist_wp_content                            includes\ar-initialise.php:789
action   admin_menu                                          includes\ar-model-shop.php:10
action   admin_enqueue_scripts                               includes\ar-model-shop.php:27
action   admin_post_import_files                             includes\ar-model-shop.php:93
action   wp_footer                                           includes\ar-model-shop.php:232
action   admin_init                                          includes\ar-settings.php:1679
action   admin_notices                                       includes\ar-settings.php:1691
action   admin_notices                                       includes\ar-settings.php:1813
filter   woocommerce_single_product_image_thumbnail_html     includes\ar-settings.php:2109
action   wp_footer                                           includes\ar-settings.php:2110
action   wp_footer                                           includes\ar-settings.php:2118
action   init                                                includes\ar-settings.php:2122
action   wp_enqueue_scripts                                  includes\ar-standalone.php:8
action   wp_head                                             includes\ar-standalone.php:24
action   woocommerce_before_shop_loop_item_title             includes\ar-storefront-badge.php:447
action   woocommerce_single_product_summary                  includes\ar-storefront-badge.php:470
action   wp_enqueue_scripts                                  includes\ar-storefront-badge.php:513
action   wp_enqueue_scripts                                  includes\ar-user-upload.php:17
action   init                                                includes\ar-wc-security.php:20
filter   upload_mimes                                        includes\ar-wc-security.php:21
action   send_headers                                        includes\ar-wc-security.php:31
filter   wp_handle_upload_prefilter                          includes\ar-wc-security.php:34
filter   rest_pre_serve_request                              includes\ar-wc-security.php:37
filter   woocommerce_rest_prepare_product_object             includes\ar-wc-security.php:40
action   rest_api_init                                       includes\ardisplay_ai\class-ardisplay-ai-rest.php:16
action   admin_enqueue_scripts                               includes\onboarding\class-ar-wc-onboarding.php:20

Scheduled Events 4

ar_woo_check_event
ar_cleanup_temp_file
ar_analytics_purge_events
ar_cron
Maintenance & Trust

AR for WooCommerce Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 12, 2026
PHP min version:
Downloads: 19K

Community Trust

Rating: 100/100
Number of ratings: 5
Active installs: 90
Developer Profile

AR for WooCommerce Developer Profile

webandprint

2 plugins · 490 total installs

Trust score: 82
Avg Security Score: 83/100
Avg Patch Time: 19 days
Detection Fingerprints

How We Detect AR for WooCommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/ar-for-woocommerce/includes/ar-wc-security.css
/wp-content/plugins/ar-for-woocommerce/assets/css/ar-admin.css
/wp-content/plugins/ar-for-woocommerce/assets/css/ar-frontend.css
/wp-content/plugins/ar-for-woocommerce/assets/js/ar-admin.js
/wp-content/plugins/ar-for-woocommerce/assets/js/ar-frontend.js
/wp-content/plugins/ar-for-woocommerce/assets/js/ar-model-viewer.js
/wp-content/plugins/ar-for-woocommerce/gutenberg-block/build/block.js
/wp-content/plugins/ar-for-woocommerce/gutenberg-block/build/block.editor.js
(+1 more)
Script Paths
/wp-content/plugins/ar-for-woocommerce/assets/js/ar-admin.js
/wp-content/plugins/ar-for-woocommerce/assets/js/ar-frontend.js
/wp-content/plugins/ar-for-woocommerce/assets/js/ar-model-viewer.js
/wp-content/plugins/ar-for-woocommerce/gutenberg-block/build/block.js
/wp-content/plugins/ar-for-woocommerce/gutenberg-block/build/block.editor.js
/wp-content/plugins/ar-for-woocommerce/assets/js/ar-color-functions.js
Version Parameters
ar-for-woocommerce/assets/css/ar-admin.css?ver=
ar-for-woocommerce/assets/css/ar-frontend.css?ver=
ar-for-woocommerce/assets/js/ar-admin.js?ver=
ar-for-woocommerce/assets/js/ar-frontend.js?ver=
ar-for-woocommerce/assets/js/ar-model-viewer.js?ver=
ar-for-woocommerce/gutenberg-block/build/block.js?ver=
ar-for-woocommerce/gutenberg-block/build/block.editor.js?ver=
ar-for-woocommerce/assets/js/ar-color-functions.js?ver=

HTML / DOM Fingerprints

CSS Classes
ar-wrapper
ar-product-preview
ar-add-to-cart-button
ar-gallery-item
ar-model-viewer-container
ar-wc-settings-page
ar-wc-add-model-button
ar-qr-code-preview
HTML Comments
<!-- AR for WooCommerce: AI Generator Fallback -->
<!-- AR for WooCommerce: Settings Panel -->
<!-- AR for WooCommerce: Frontend Product Display -->
<!-- AR for WooCommerce: Gallery Builder -->
(+3 more)
Data Attributes
data-ar-model-src
data-ar-product-id
data-ar-gallery-id
data-ar-qr-data
data-ar-standalone-url
data-ar-gutenberg-block
JS Globals
ar_frontend_params
ar_admin_params
ar_model_viewer_params
ar_gutenberg_block_params
AR_WC_Onboarding
REST Endpoints
/wp-json/ar-for-woocommerce/v1/process-image
/wp-json/ar-for-woocommerce/v1/get-models
/wp-json/ar-for-woocommerce/v1/update-settings
/wp-json/ar-for-woocommerce/v1/generate-qr-code
Shortcode Output
[ar_product_viewer]
[ar_gallery]
[ar_qr_generator]
[ar_standalone_viewer]
FAQ

Frequently Asked Questions about AR for WooCommerce